From owner-freebsd-hackers Wed Apr 29 11:45:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA03045 for freebsd-hackers-outgoing; Wed, 29 Apr 1998 11:45:15 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA03028 for ; Wed, 29 Apr 1998 11:45:08 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (950413.SGI.8.6.12/950213.SGI.AUTOCF) id OAA28546; Wed, 29 Apr 1998 14:22:17 -0400
From: "Allen Smith"
Message-Id: <9804291422.ZM28544@beatrice.rutgers.edu>
Date: Wed, 29 Apr 1998 14:22:17 -0400
In-Reply-To: Jonathan Lemon "Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp" (Apr 29, 1:20pm)
References: <9804291312.ZM27991@beatrice.rutgers.edu> <19980429132003.21663@right.PCS>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Jonathan Lemon , freebsd-hackers@FreeBSD.ORG
Subject: Re: Proxy ARP for transparent firewalling: arp -s pub vs choparp
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Apr 29, 1:20pm, Jonathan Lemon (possibly) wrote:
> I have a similar situation, so I should describe what I have set up.

Thank you.

>
> [network]---[ firewall ]--------------------[machineN]
>             de0         de1                  ip: y.y.y.y
>             ip: x.x.x.x ip: x.x.x.x
>             ether: a:a:a:a:a:a ether: b:b:b:b:b:b
>
> Change the /etc/rc.conf on the firewall to:
>
> 1. configure the firewall interfaces identically:
>
>     ifconfig_de0="inet x.x.x.x netmask 0xffff0000"
>     ifconfig_de1="inet x.x.x.x netmask 0xffff0000"

I may not be seeing something that should be obvious, but why do you have them as the same IP address? Wouldn't this interfere with doing proxying for ftp (needed due to the data connection for interfacing with servers that don't do passive connections properly), etcetera? (We're mainly planning on doing packet filtering, but will do proxying where necessary.)

> 2. install direct interface routes for each machine behind
>    the firewall:
>
>     static_routes="machine1"
>     route_machine1="y.y.y.y -link de1:b:b:b:b:b:b -iface"
>
> 3. turn on proxyall (this will pass all arp requests back and
>    forth between the two interfaces)
>
>     arpproxy_all="YES"

Interesting...

> 4. add permanent ARP entries for each machine behind the firewall:
>    (place this in something like /etc/rc.conf.local)
>
>     arp -s machine1 auto pub
>
> Now, when:
>
> - the firewall gets an ARP request for any of machineN, it will
>   answer with its own MAC entry.

Right...

> - the firewall gets an IP packet for machineN, it will use the
>   interface route to send the packet to the internal network.

Good... ip_filter with fastroute should work the same way.

> - machineN sends an ARP reply, the firewall will use this
>   for sending to machineN, instead of the `published' MAC entry.

Good...

> - machineN sends an ARP request, the firewall will forward the
>   request/reply between the two interfaces.

Huh. How is the inner interface of the firewall going to be getting packets with ethernet addresses of exterior machines? If you've instead got the inner machines set up to route to the firewall's inner interface, why should they need to send any ARP requests for exterior machines?

>
> This may not be the best way to do this, but it works for me. :-)

It's certainly not something I'd have ever thought of, but it may be useful. I'll have to think on it some more.

Thanks,

-Allen

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
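The four-step setup quoted above, generalized from the single "machine1" to any number of inner hosts, as an added example that is not from the original thread or from either poster. It assumes the caller supplies the inner interface name and a constructed "name ip mac" host list, uses the IP address rather than the hostname in the arp -s line so no name lookup is needed at boot, and maps host names to valid shell identifiers because rc.conf looks each static_routes entry up as a variable named route_<entry>.

```shell
#!/bin/sh
# Added example: emit the rc.conf fragment and the arp(8) commands for
# the proxy-ARP firewall layout, for N inner hosts instead of one.
# Input (constructed, one host per line): "<name> <ipv4> <mac>".
# Assumptions: interface name and host list come from the caller; the
# IP and MAC fields are format-checked only, not resolved or probed.

# Return 0 if $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Return 0 if $1 is six colon-separated hex groups (ifconfig prints
# b:b:b:b:b:b style, one or two hex digits per group).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$'
}

# static_routes entries become variables named route_<entry>, which must
# be valid sh identifiers: map anything else ('-', '.') to '_'.
rc_ident() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Emit the rc.conf lines: one -iface route per host via the inner
# interface's link-layer address, the static_routes list, and arpproxy_all.
proxyarp_rcconf() {
    iface=$1; hosts=$2; names=""
    while read -r name ip mac; do
        [ -z "$name" ] && continue
        is_ipv4 "$ip" && is_mac "$mac" || { echo "bad entry: $name" >&2; return 1; }
        id=$(rc_ident "$name")
        names="$names${names:+ }$id"
        printf 'route_%s="%s -link %s:%s -iface"\n' "$id" "$ip" "$iface" "$mac"
    done <<EOF
$hosts
EOF
    printf 'static_routes="%s"\n' "$names"
    printf 'arpproxy_all="YES"\n'
}

# Emit the permanent published ARP entries (for /etc/rc.conf.local).
proxyarp_arp_cmds() {
    printf '%s\n' "$1" | while read -r name ip mac; do
        [ -n "$name" ] && printf 'arp -s %s auto pub\n' "$ip"
    done
}
```

A malformed IP or MAC makes proxyarp_rcconf return non-zero so a bad line never reaches rc.conf, where the error would otherwise surface as a silent missing route at boot.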